This repository has been archived by the owner on May 22, 2021. It is now read-only.

Refine and document our authentication and security mechanisms #32

Open
steve-hb opened this issue Apr 11, 2020 · 4 comments
Assignees
Labels
documentation Improvements or additions to documentation epic Big issue containing children refinement needed Something is unclear or not yet specified

Comments

@steve-hb
Contributor

We have to refine & document our authentication and security mechanisms.
The current documentation (#31) is included in our graphql schema which is tbh not that great.

Task for refinement: We should use the strength of PBKDF2 and generate random salts for every user which we send to the frontend to stretch the password hashing.
(see https://en.wikipedia.org/wiki/PBKDF2#Purpose_and_operation)

@TheMorpheus407 and @iiestIT could maybe assist us here.

@steve-hb steve-hb self-assigned this Apr 11, 2020
@steve-hb steve-hb added documentation Improvements or additions to documentation refinement needed Something is unclear or not yet specified labels Apr 11, 2020
@steve-hb
Contributor Author

steve-hb commented Apr 11, 2020

This task also includes flow diagrams showing which application sends which data for what purpose to which micro service.
Related: brute force, ip/user ban (#14), DoS protection, deviceId (https://owasp.org/www-community/Slow_Down_Online_Guessing_Attacks_with_Device_Cookies)

@steve-hb
Contributor Author

steve-hb commented Apr 11, 2020

Maybe this is an epic? I think so:

@steve-hb
Contributor Author

steve-hb commented Apr 11, 2020

Ah, I forgot something: Service Auth Tokens! We use them for authentication between our micro services to ensure that even an "open" micro service won't accept every request - which should never happen, but who knows? Errare humanum est!

// This would also mean we have to document the headers used for these tokens
@RedstoneMedia I think you or your team specified this, didn't they?

@JavaDerg
Contributor

We have to refine & document our authentication and security mechanisms.
The current documentation (#31) is included in our graphql schema which is tbh not that great.

Task for refinement: We should use the strength of PBKDF2 and generate random salts for every user which we send to the frontend to stretch the password hashing.
(see https://en.wikipedia.org/wiki/PBKDF2#Purpose_and_operation)

@TheMorpheus407 and @iiestIT could maybe assist us here.
Relating to #31
I don't see the issue here, the documentation certainly needs refinement but we do need to send the password to the server so it can get verified using the Bcrypt algorithm.
Using this algorithm we don't need to store a separate salt, because one is already included in the hash.
Or do I misunderstand something?
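The two positions above (per-user salt handed to the frontend for PBKDF2 stretching vs. a salted hash verified server-side) can be combined, as this added example shows. It is not the project's code; it assumes PBKDF2-HMAC-SHA256, a 16-byte salt and the iteration count given, and it illustrates the caveat that the key the frontend derives is itself a password-equivalent, so the server must hash it again before storing, and that the public salt ends up stored next to the verifier just as bcrypt embeds its salt in the hash string.

```python
import hashlib
import hmac
import os
import secrets

# Parameters assumed for this illustration (not taken from the issue).
ITERATIONS = 100_000
SALT_BYTES = 16
# Server-only key used to fabricate salts for unknown users (hypothetical).
ENUM_GUARD_KEY = os.urandom(32)


def client_stretch(password: str, public_salt_hex: str) -> bytes:
    """Frontend side: stretch the password with PBKDF2-HMAC-SHA256 using the
    per-user salt the server handed out, so the raw password never leaves
    the browser."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               bytes.fromhex(public_salt_hex), ITERATIONS)


def server_verifier(client_key: bytes, private_salt: bytes) -> bytes:
    """Backend side: the client-derived key would let anyone holding the
    database log in, so it is hashed once more with a second, server-only
    salt before it is stored. What is stored is then not replayable."""
    return hmac.new(private_salt, client_key, hashlib.sha256).digest()


def register(db: dict, user: str, password: str) -> str:
    public_salt = secrets.token_hex(SALT_BYTES)   # sent to the frontend
    private_salt = os.urandom(SALT_BYTES)         # never leaves the server
    client_key = client_stretch(password, public_salt)  # done in the browser
    db[user] = {"public_salt": public_salt, "private_salt": private_salt,
                "verifier": server_verifier(client_key, private_salt)}
    return public_salt


def salt_for(db: dict, user: str) -> str:
    """Login step 1: return the user's public salt. For an unknown user a
    deterministic fake salt of the same length is returned, so the response
    does not reveal whether the account exists."""
    rec = db.get(user)
    if rec is not None:
        return rec["public_salt"]
    fake = hmac.new(ENUM_GUARD_KEY, user.encode("utf-8"), hashlib.sha256)
    return fake.hexdigest()[:SALT_BYTES * 2]


def login(db: dict, user: str, client_key: bytes) -> bool:
    """Login step 2: recompute the verifier from the key the frontend sent
    and compare in constant time."""
    rec = db.get(user)
    if rec is None:
        return False
    expected = server_verifier(client_key, rec["private_salt"])
    return hmac.compare_digest(expected, rec["verifier"])
```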
